Syed Jahanzaib Personal Blog to Share Knowledge !

February 16, 2017

Modifying ‘tombstoneLifetime’ value in Active Directory

Filed under: Microsoft Related — Syed Jahanzaib / Pinochio~:) @ 9:40 AM


What is tombstone Lifetime?

The AD tombstone lifetime determines how long deleted objects (users, for example) remain in AD before they are purged. The default value in Windows 2008 is 180 days.

Why do I need to modify its default value?

We want to increase it for audit purposes, especially to track deleted objects (for example, how many users were deleted in the last 1 or 2 years).

Let’s Start …

METHOD # 1 – Using GUI Method

Execute ADSIEdit tool by


  • Now, using the ADSIEdit tool, connect to your domain controller.
  • Navigate to CN=Directory Service, right-click it and select Properties.
  • Find tombstoneLifetime and click Edit.
  • Now enter, in days, how long you want the tombstone lifetime to be. I wanted 2 years so I put 630. This value must be in DAYS.

As shown in the image below …


Note: By mistake, I typed 630, whereas the actual number for 2 years is 730, so change it accordingly.

METHOD # 2 – Using PowerShell Command

Setting Two Years Tombstone Lifetime

Import-Module ActiveDirectory
$ConfNameContext = Get-ADRootDSE | Select-Object -Expandproperty configurationNamingContext
Set-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$ConfNameContext" -Replace @{'tombstonelifetime'='730'}

Querying tombstoneLifetime value via command


# Using dsquery command

dsquery * "cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,dc=agp1" -scope base -attr tombstonelifetime

# Using PowerShell with the ADSI accelerator

(Get-ADObject "cn=Directory Service,cn=Windows NT,cn=Services,$(([adsi]'LDAP://RootDSE').configurationNamingContext)" -Properties tombstonelifetime).tombstonelifetime

# Using PowerShell with Get-ADRootDSE

Import-Module ActiveDirectory
$ConfNameContext = Get-ADRootDSE | Select-Object -ExpandProperty configurationNamingContext
Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$ConfNameContext" -Properties tombstonelifetime | Format-List

Note / z@iB:

I found out that the commands don’t show the default tombstoneLifetime. Once I modified the value, I was able to see it using the above commands.

Syed Jahanzaib
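Since the goal stated above is auditing deleted users, and the note says the attribute can come back empty until it has been modified, the following added example (not part of the original post) reads tombstoneLifetime, handles the not-set case, and lists user objects deleted within a look-back window. The function names and the -Days parameter are hypothetical, and whenChanged is used as an approximation of the deletion time.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-TombstoneLifetime {
    # Returns the configured value in days, or $null when the attribute is not set.
    $conf = (Get-ADRootDSE).configurationNamingContext
    $dn   = "CN=Directory Service,CN=Windows NT,CN=Services,$conf"
    $obj  = Get-ADObject -Identity $dn -Properties tombstoneLifetime
    if ($null -eq $obj.tombstoneLifetime) { return $null }
    return [int]$obj.tombstoneLifetime
}

function Get-DeletedUserReport {
    # Hypothetical helper: lists tombstoned user objects changed in the last $Days days.
    # Computer accounts also carry objectClass "user", so they appear here as well.
    param([int]$Days = 730)
    $since = (Get-Date).AddDays(-$Days)
    Get-ADObject -IncludeDeletedObjects `
        -Filter 'isDeleted -eq $true -and objectClass -eq "user"' `
        -Properties whenChanged, lastKnownParent, sAMAccountName |
      Where-Object { $_.whenChanged -ge $since } |   # whenChanged approximates deletion time
      Sort-Object whenChanged -Descending |
      Select-Object sAMAccountName, lastKnownParent, whenChanged
}

$ttl = Get-TombstoneLifetime
if ($null -eq $ttl) {
    # Matches the note above: nothing is returned until the attribute has been written.
    Write-Warning 'tombstoneLifetime is not set; the directory is using its built-in default.'
} else {
    Write-Output "tombstoneLifetime = $ttl days"
}
Get-DeletedUserReport -Days 730 | Format-Table -AutoSize
```

Objects deleted longer ago than the tombstone lifetime in effect at the time have already been purged, so the report can only reach back as far as that setting allows.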


  1. Sir, please tell me how to bypass the radius manager login page to get unlimited access to wifi, or to access the radius manager admin panel to get unlimited usage of wifi, which is restricted to just 4 GB of traffic. Is there any way to get access to unlimited traffic?


    Comment by fahad ahmed — May 3, 2017 @ 2:08 PM

  2. Dear Jahanzaib,

    Thank you very much. Please guide me on how I can view the Employee ID from Active Directory Users and Computers via ADSIEdit.msc, step by step.



    Comment by sirjeee — November 27, 2017 @ 12:14 PM
